Capfire4, malware-as-a-service platform for crime

It is not the first time we discuss cybercrime and in particular its organizational models: creative services offer every kind of support to organizations and individuals that want to conduct an attack against a specific target.

Cyber criminals have already used cloud architectures in the past to rent computational resources for powerful cyber attacks. Until now these platforms have been used to organize social networks for “customer care”, to develop file sharing services, or to set up hacking platforms that run automated penetration tests against the victims.

More unusual is the discovery made by a group of AlienVault experts, led by Alberto Ortega, of a new service that offers cyber-attack tools and hosting as part of a malware-as-a-service offering.

Once again cybercrime operates as an enterprise: the products proposed are tools for organizing cyber attacks, such as malware spam, malware hosting, and the means to build a complete command and control (C&C) infrastructure for running botnets.

The service is called Capfire4 and it is a good example of C2C (Cybercrime to Cybercrime): it provides technological support to criminals who lack the knowledge needed to conduct a cyber attack or to arrange a cyber scam.

How is the service provided?

In the simplest way: users access a Web portal that lets them create customized versions of malware and gives them a management console to control the bots of the infected networks. The owner of the portal advertises it as a service to remotely control computers and recover passwords.

The service is cloud based and offers users a payment platform for the generation of malware and its control; everything is documented with detailed tutorials.

The most popular malware on the portal are RATs (Remote Administration Tools), software created to let the attacker spy on the victims through keylogging, password stealing, command execution, remote access and control, and screen capturing.

These tools are continually updated and improved to meet customers’ requirements, excellent work by specialists.

The platform also offers a hosting service for the malware: once logged in, the client can choose the destination of the agent from a list of fake domains that look like legitimate ones.

Of course the supply of such services requires highly skilled professionals: the malware created must evade antivirus and other defense systems to be attractive to criminals. For this reason the service also provides a rating mechanism for the detectability of the malware sold.

The platform also offers a management console for the malicious agent, served over HTTPS with a valid certificate, which the client can use to gain complete control of the infected system.

The researchers have discovered that the address of the C&C machine is in Brazil and is always the same, 174.142.93.226, and that the communication between the agents and the C&C is done over HTTP, while command execution uses another protocol on port 9000.

The AlienVault experts have also provided useful information about the platform and about detecting the malware sold, publishing details on the C&C used and on the registration of the fake domains used for hosting, and providing rules to detect the communication traffic and the command execution requests.
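As an added illustration of how the indicators quoted above can be turned into a triage check (this is example code, not the AlienVault rules or anything from the Capfire4 research), the function below scans a constructed, firewall-style CSV flow log for contacts with the reported C&C address and for the port 9000 command channel. The log format, the host addresses other than the C&C IP, and the severity labels are assumptions made for the example.

```python
import csv
import io

CAPFIRE4_C2_IP = "174.142.93.226"   # C&C address reported in the article
CAPFIRE4_CMD_PORT = 9000            # command-execution port reported in the article

# Constructed sample flow log (not real traffic): ts,src_ip,dst_ip,dst_port,proto
SAMPLE_LOG = """\
ts,src_ip,dst_ip,dst_port,proto
2012-05-02T10:01:00Z,10.0.0.12,93.184.216.34,443,tcp
2012-05-02T10:01:05Z,10.0.0.12,174.142.93.226,80,tcp
2012-05-02T10:01:09Z,10.0.0.17,174.142.93.226,9000,tcp
2012-05-02T10:02:11Z,10.0.0.23,8.8.8.8,53,udp
2012-05-02T10:03:30Z,10.0.0.17,203.0.113.9,9000,tcp
"""


def classify(row):
    """Severity for one flow, or None if nothing matches.

    Any contact with the C&C IP is an indicator; the C&C IP on port 9000 is
    the command channel; port 9000 to any other host is only a weak hint,
    because that port is also used by plenty of legitimate services.
    """
    ip, port = row["dst_ip"], int(row["dst_port"])
    if ip == CAPFIRE4_C2_IP and port == CAPFIRE4_CMD_PORT:
        return "high"
    if ip == CAPFIRE4_C2_IP:
        return "medium"
    if port == CAPFIRE4_CMD_PORT:
        return "low"
    return None


def find_c2_flows(log_text):
    """Parse CSV flow-log text; return (src_ip, dst_ip, dst_port, severity) hits."""
    hits = []
    for row in csv.DictReader(io.StringIO(log_text)):
        sev = classify(row)
        if sev:
            hits.append((row["src_ip"], row["dst_ip"], int(row["dst_port"]), sev))
    return hits


def infected_hosts(log_text):
    """Internal hosts with at least one medium/high hit: the ones to triage first."""
    return sorted({h[0] for h in find_c2_flows(log_text) if h[3] in ("medium", "high")})


if __name__ == "__main__":
    for hit in find_c2_flows(SAMPLE_LOG):
        print(hit)
    print("hosts to triage:", infected_hosts(SAMPLE_LOG))
```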

Discoveries like these are of great concern for the following reasons:

The malware-as-a-service model is extremely dangerous because it links cybercrime to traditional crime, which until now has been excluded by its lack of adequate technological knowledge. It completely changes the morphology of the crime scenarios: these joint ventures attract capital and strengthen relations between criminal organizations.

The concern about the emergence of these services and the impact they have on the spread of malware is high. Many environments today are too vulnerable, and the scenarios that lie ahead are indeed worrying. Controlling these pathways of contamination is mission critical.

Criminal models such as the one introduced here make the production of malware affordable and also contribute to the diversification of the agents, making their detection harder through subsequent reprocessing and improvement. These groups are led by professionals who are familiar with the detection mechanisms used by the manufacturers of security products. Malware spread in this way could be used by terrorists or other groups wishing to conduct cyber attacks, providing new and powerful weapons at low cost and without any special risk associated with their acquisition and possession.

Pierluigi Paganini is a member of the ENISA (European Union Agency for Network and Information Security) Threat Landscape Stakeholder Group and of the Cyber G7 Group; he is also a Security Evangelist, Security Analyst and Freelance Writer.
Editor-in-Chief at "Cyber Defense Magazine", Pierluigi is a cyber security expert with over 20 years of experience in the field and a Certified Ethical Hacker (EC-Council, London). His passion for writing and a strong belief that security is founded on sharing and awareness led Pierluigi to found the security blog "Security Affairs", recently named a Top National Security Resource for the US.
Pierluigi is a member of "The Hacker News" team and writes for major publications in the field such as Cyber War Zone, ICTTF, Infosec Island, Infosec Institute, The Hacker News Magazine and many other security magazines.
Author of the books "The Deep Dark Web" and “Digital Virtual Currency and Bitcoin”.